Topics - stormy

#1
Is this a known issue, or something bad in my setup/steps?

Using OPNsense 17.7.11-amd64 with PPPOE, I'm able to click RELEASE followed by RENEW on the INTERFACES:OVERVIEW page on the specific port and all works as expected after that.

However, when doing that RELEASE / RENEW on a DHCP connection (not pppoe), the link comes up, gets an IP, but no surfing is possible!

Comparing netstat -rn before/after shows that a single line is missing... the one for the default gateway!

default x.y.z.q   UGS   igb1

The solution is to ssh into the opnsense box and add a default gateway, e.g.:

route add default x.y.z.q

and boom, immediately all works fine..

Any thoughts welcomed..

Stormy.
#2
I have 17.7.1 configured with LAN + WIFI as well as BRIDGE0 on both.

All clients can ping one another EXCEPT a wifi client cannot ping another wifi client.

I suspect this is some firewall rule that needs to be added, but I have no clue how to do that...

Sorry if this is in the docs :)

Just to be clear:

1) LAN can ping all other LAN clients
2) LAN can ping all wifi clients
3) wifi can ping all LAN clients
4) a wifi client cannot ping any other wifi client

Thanks in advance.

Stormy
#3
Hi there!!

I'm using 17.1.7, and configured a wifi adapter:

ath0@pci0:4:0:0:        class=0x028000 card=0x2091168c chip=0x002e168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9287 Wireless Network Adapter (PCI-Express)'
    class      = network


I set everything to DEFAULT in the GUI, but every few hours the connection drops, and on Android clients I get:

"Authentication problem"... and they cannot log in.

The "fix" is very simple: I go to the OPN GUI, find the WIFI adapter, scroll to the bottom of the page, click SAVE, then at the top APPLY changes, and INSTANTLY connections are possible using that wifi adapter.

Running clog wireless.log does not show anything out of the ordinary; lots of these, but I think this is normal:

May 27 09:53:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 09:58:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:03:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:08:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:13:35 OPNsense hostapd: ath0_wlan1: WPA GMK rekeyd
May 27 10:13:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:18:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:23:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:28:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK


I have not yet been able to find/correlate the logs to when the connection initially drops.

What I did do is capture ifconfig BEFORE and AFTER the above APPLY in the GUI, and this is the difference:

# diff ifconfig-b4apply.lis ifconfig-afapply.lis
53,55c53,55
<       privacy MIXED deftxkey 3 AES-CCM 2:128-bit AES-CCM 3:128-bit
<       txpower 20 scanvalid 60 protmode OFF ampdulimit 64k ampdudensity 8
<       shortgi burst -apbridge dtimperiod 1 -dfs
---
>       privacy MIXED deftxkey 2 AES-CCM 2:128-bit txpower 20 scanvalid 60
>       protmode OFF ampdulimit 64k ampdudensity 8 shortgi burst -apbridge
>       dtimperiod 1 -dfs


So some changes are visible, but I'm not sure what to make of that...

Here is the relevant GUI wifi setup; I've hidden the password field with **** :)

Any tips/ideas are welcomed..

Stormy.


#4
Hardware and Performance / opnsense WIFI setup
April 26, 2017, 03:50:48 PM
I'm "simply" trying to set up wifi on opnsense/latest 17.1.4. After months of failed attempts with Broadcom, I ordered an Atheros card, and it was immediately recognized by the OS and UI as ath0, so I went to:

Interfaces->Wireless->Devices, and set it up; all looks ok there. Then I moved to ASSIGNMENTS and added a new interface; it was called OPT5, and I've renamed it to WIFI to make it easier to remember.

So "WIFI" maps to "ath0_wlan1 (Wifi)" in the assignment page..

In Overview page the interface appears as:

WIFI interface (opt5, ath0_wlan1)
Status no carrier
MAC address 74:f0:6d:xx:xx:xx - AzureWave Technologies, Inc.
IPv6 Link Local fe80::76f0:6dff:fe0d:xxxx
Media autoselect
Channel 7
SSID STAR2



Notice the "no carrier"... going into the "WIRELESS" tab and clicking "STATUS" RESCAN does not find any other wifi in the area, even though there are some wifis..

Also, I cannot find that SSID "STAR2"..

So I decided to reboot; after that, I could not access the internet nor ssh into the opnsense box :) :)

From the console I typed:

ifconfig ath0_wlan1 down

and then I could ssh into the box, and the internet is working.

The question is: why did the wifi disable internet/access to the box??

I thought maybe I need to bridge the wifi + bridge0 (which already has the LAN1 LAN2 ports), but that fails with:

Bridging a wireless interface is only possible in hostap mode.


I understand security, but why does it have to be so complex? I just want the wifi to be an extension of the LAN; WPA2 security is already "good enough" for my needs.

Is there any way to do this with opnsense? Any docs/references?

For now, I've disabled the wifi :)

Thanks, Stormy.

PS: Also tried guides such as this one, which is for pfsense: https://www.cyberciti.biz/faq/howto-configure-wireless-bridge-access-point-in-pfsense/

to no avail...
#5
I got a pretty simple reproducible case.

1) opnsense box is at 192.168.1.2

2) connected to a switch, which holds a Cisco VoIP phone with DHCP/IP set on the opnsense to always be 192.168.1.82

3) The Cisco phone cannot make the VPN connection unless an outbound NAT rule is added; that is working fine.

4) Upon an ISP outage, the opnsense re-establishes the internet connection; HOWEVER, the Cisco VoIP fails to re-connect/authenticate despite the fact that a) it was running days before that w/o any issues, b) the whole network is restored for all other devices, and c) the outbound NAT rule is in place.

5) I've debugged that for a few months, and narrowed the issue down to the fact that the opnsense box (192.168.1.2) cannot PING the Cisco phone 192.168.1.82 after such an outage, despite the fact that OTHER machines on the same switch can ping the Cisco's IP just fine, before and after the outage.. Also, the 192.168.1.82 IP is marked as allocated to the Cisco phone, and 'arp' output on the opnsense and on another random PC agree on the Cisco's MAC address, e.g. opnsense:

? (192.168.1.82) at 08:cc:68:xx:xx:xx on bridge0 expires in 1176 seconds [bridge]
?


From random PC that can ping it:

192.168.1.82          08-cc-68-xx-xx-xx     dynamic


6) The "workaround", of course, is to reboot the Cisco VoIP, and then it works fine; however, that was not the case with my prior (hiding: tomato) firmware..

Is there any chance someone can help debug this? Why is the ping working for the random PC, yet not for the opnsense box, which I suspect is the reason for the failure of the Cisco phone to build the VPN tunnel..

Appreciate any tips.
Stormy.
#6
Using 17.1RC1, trying to set up freeDNS, which I assume refers to: https://freedns.afraid.org/

Entering some hostname and user/password, I get these in system.log when forcing an update:

Jan 30 12:10:44 OPNsense opnsense: /services_dyndns_edit.php: Dynamic DNS (myhost.mine.to): PAYLOAD: ERROR: Invalid update URL (2)
Jan 30 12:10:44 OPNsense opnsense: /services_dyndns_edit.php: Dynamic DNS (myhost.mine.to): (Unknown Response)

From my experience on Tomato-based firmwares, it is possible to enter only the system-generated TOKEN (withOUT any user/password information); I tried that instead of the hostname, and got the same error with the token name in place of the hostname.

Thinking, ah, maybe it wants the full URL, I entered this URL obtained from afraid.org:

http://freedns.afraid.org/dynamic/update.php?Long-uuid-token

and then got this from the UI:

"The following input errors were detected:
    The Hostname contains invalid characters"

Going to the Docs, no hits for freedns: https://docs.opnsense.org/search.html?q=freedns&check_keywords=yes&area=default

No hits for dyndns, or even.. dns??

Docs w/o search, not much help there.

Has anyone configured freedns correctly on OPNSense 17.1rc1?
#7
On Tomato firmware (sorry for the comparison) one only needs to enter a TOKEN for the freeDNS service (afraid.org), but in opnsense it seems user & password are required..

Is that secure? I'm assuming you post the request as https..

And to get the token implemented, is that by opening a git issue? Or some other way.

Highly useful if you need to reach your boxes remotely.

Stormy..
#8
Was renaming the WAN interface's description in the UI, and all of a sudden noticed the network is down.. Looking at the console, I see this crash:

Fatal trap 12: page fault while in kernel mode
thread pid 12 tid 100005

more in the photos here: http://imgur.com/a/qJrSY

One has "ps" (showing pid 12) along with "bt" on the same screen.

Stormy
#9
I was running into several issues on 17.1RC1, and wanted to test on 16.7, so I kept re-imaging, but that got tiring after the 3rd time :) :) Since I have one box, I thought about how to run them "in dual boot".

My box has a built-in SSD (128GB) with 17.1 now installed, and my understanding is that there is no way to install on a partition.

Folks suggested installing 16.7 on a USB stick, so I took a 32GB one and installed it, but during boot the menu clearly shows version 16.7, i.e. from the USB; then selecting "1", it boots, but eventually I get to the 17.1 login prompt.. There is no crash or restart, and I'm pretty certain I did install 16.7 on that USB stick, otherwise how would it show that 16.7 boot prompt :)

Running "df", everything shows as if it's 17.1rc1...

Not sure why that is the case, or how to simply run both in dual mode; I'd appreciate any experiences from others.
Stormy.
#10
I'm totally new to this area, went to docs.opnsense.org, hit many keywords, and found not much. I'm not sure if this is b/c the docs are not there, OR maybe the search/index is broken.

One suggestion is to go after 10-50 keywords and make sure that they return the correct docs.. Some words that come to mind would be network related, like: sshd, pppoe, multiwan, etc. etc. These all return almost nothing, or irrelevant things.

The same suggestion goes for the Web UI: searching at the TOP/right should find things like "ssh, secure, etc." and many more that right now return nothing, but they do exist, just hard to find for newcomers. Maybe if it searched ALL the attributes, not just the high-level headers, that would be better? Not sure. Something to consider maybe.

Stormy.
#11
I've set up pppoe on one interface, nothing else is connected to the opn box, and the pppoe succeeds only after a fresh reboot. As soon as I click disconnect (or pull the network cable out), then click connect, the session repeatedly fails to connect, for hours..

This is a sample log:

http://pastebin.com/bR48fySu

with IPs replaced by A.B.C.D (the IP the ISP assigns the opn) and X.Y.Z.X (the ISP's gateway IP).

Any ideas?
#12
Hi,

Having issues installing/booting, and now trying to mount the image, but for some reason it doesn't work on Ubuntu 16.04 LTS.

Solution below.

root@stormy-D600:~# ls -l OPNsense-17.1.r1-OpenSSL-vga-amd64.img
-rwxr-xr-x 1 root root 937420288 Jan 22 16:12 OPNsense-17.1.r1-OpenSSL-vga-amd64.img
root@stormy-D600:~# md5sum OPNsense-17.1.r1-OpenSSL-vga-amd64.img
b2b1dfba4073c865757f3491e6e35d1d  OPNsense-17.1.r1-OpenSSL-vga-amd64.img
root@stormy-D600:~# kpartx -va OPNsense-17.1.r1-OpenSSL-vga-amd64.img
add map loop0p1 (252:0): 0 1600 linear 7:0 3
add map loop0p2 (252:1): 0 126 linear 7:0 1603
add map loop0p3 (252:2): 0 1829168 linear 7:0 1729
root@stormy-D600:~# ll /dev/mapper/loop0p*
lrwxrwxrwx 1 root root 7 Jan 22 22:39 /dev/mapper/loop0p1 -> ../dm-0
lrwxrwxrwx 1 root root 7 Jan 22 22:39 /dev/mapper/loop0p2 -> ../dm-1
lrwxrwxrwx 1 root root 7 Jan 22 22:39 /dev/mapper/loop0p3 -> ../dm-2
root@stormy-D600:~# mount -o ro /dev/mapper/loop0p3 /mnt


At this point on the console I'm getting this:

[  600.720245] ufs: You didn't specify the type of your ufs filesystem

               mount -t ufs -o ufstype=sun|sunx86|44bsd|ufs2|5xbsd|old|hp|nextstep|nextstep-cd|openstep ...

               >>>WARNING<<< Wrong ufstype may corrupt your filesystem, default is ufstype=old


Trying "ls" gets:

root@stormy-D600:~# ls /mnt
ls: reading directory '/mnt': Input/output error


So, I tried:

mount -o ro,ufstype=sun /dev/mapper/loop0p3 /mnt

No console error, but ls produces the same error.

Trying "ufs2" fails:

root@stormy-D600:/var/log# mount -o ro,ufstype=ufs2 /dev/mapper/loop0p3 /mnt
mount: wrong fs type, bad option, bad superblock on /dev/mapper/loop0p3,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.


Finally, tried:

mount -o ro,ufstype=44bsd /dev/mapper/loop0p3 /mnt

I was able to mount and ls fine:

root@stormy-D600:~# ls /mnt
bin   conf       dev      etc   lib      media  proc    root  sys  usr
boot  COPYRIGHT  entropy  home  libexec  mnt    rescue  sbin  tmp  var


OK, from the mount man page:

              44bsd  For filesystems created by a BSD-like system (NetBSD, FreeBSD, OpenBSD).

              ufs2   Used in FreeBSD 5.x supported as read-write.


Just remember to select 44bsd :)

Thanks.
#13
General Discussion / Website(s) Improvement Suggestion
January 22, 2017, 09:06:13 PM
Hi there,

I'm new, and trying to navigate the website; it APPEARS right now that there are 3 or maybe more seemingly different websites, as follows:

1) Main website: opnsense.org
2) Forum: forum.opnsense.org
3) docs: docs.opnsense.org

It appears that there is no way to CLICK from one to another and back to the other(s)..

I think it would help a lot if from the forum you can click to main or docs, or even just main, and then from docs you can go to main, and not just be trapped in docs forever..

Not suggesting a redesign, just an icon that links to main, docs, or forum from each one; it can even be the opnsense logo itself..

#14
Downloaded the latest "vga" 17.1 RC1 image (confirmed the MD5sum is OK), dd'd it onto a USB stick, put it into a small Intel dedicated box with 8GB / 128GB SSD, see the menu, choose "1", and it prints a bunch of lines:

/boot/kernel/*.ko size ... at ...
then:
Booting...

with some info about EFI, but nothing changes after that.  The box has an HDMI connection that is connected to a monitor.

1) Does the "vga" version imply I must actually use a "VGA" connection?

2) How to debug this? 

Here is what I did so far:

Tried in more options to turn on "Verbose", but get no more info.

The USB light is not blinking, so I know it's not reading from it...

On the last lines it says: Dimensions 800 x 600

but this TFT display is 7" and the specs say 800x480; could that be it?

Is there a way to boot with a different resolution?

Took the USB and tried to mount it; error "must specify the ufs type" (on Ubuntu). Got it to work with:

mount -t ufs -o ro,ufstype=sun /dev/sdb3 /mnt

but then ls on /mnt returns many errors of incorrect size and Input/Output error...

Also the same errors happen when taking the OPNSense*.img and trying:

kpartx -va OPNs...

It gets the /dev/mapper/loop0p1 & loop0p2, but the same errors when mounting p2.. How is it possible to loop mount the image? Just to look around and see if there is anything about resolution.

Meanwhile, searching for a larger/standard monitor.

Stormy.
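One way to loop-mount a single slice of the image without device-mapper, computed from the kpartx output quoted in post #12 and answering the loop-mount question in post #14. This is an added example, not code from the posts or from OPNsense; the image name, mountpoint and the reading of kpartx's fields (512-byte sectors, length in field 6, start sector last) are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum posts): derive read-only loop-mount
# parameters for one slice of an OPNsense .img from the "add map" lines
# that "kpartx -va" prints, so the slice can be inspected on Linux without
# creating /dev/mapper nodes. Assumes 512-byte sectors; field 6 is the
# length in sectors and the last field the start sector.

# kpartx output constructed from the values quoted in post #12.
KPARTX_SAMPLE='add map loop0p1 (252:0): 0 1600 linear 7:0 3
add map loop0p2 (252:1): 0 126 linear 7:0 1603
add map loop0p3 (252:2): 0 1829168 linear 7:0 1729'

# Byte offset of partition $1 (e.g. loop0p3); kpartx output on stdin.
partition_offset() {
    awk -v want="$1" '$3 == want { printf "%d\n", $NF * 512; exit }'
}

# Byte length of partition $1; kpartx output on stdin.
partition_size() {
    awk -v want="$1" '$3 == want { printf "%d\n", $6 * 512; exit }'
}

# Succeed only if partition $1 lies inside an image of $2 bytes (stdin:
# kpartx output). A slice running past the end of the file means the
# table or the download is damaged; rule that out before trusting any
# mount error (post #12 verified the md5sum first for the same reason).
partition_fits() {
    tbl=$(cat)
    off=$(printf '%s\n' "$tbl" | partition_offset "$1")
    len=$(printf '%s\n' "$tbl" | partition_size "$1")
    [ -n "$off" ] && [ -n "$len" ] && [ $((off + len)) -le "$2" ]
}

# Print the mount command for image $1, partition $2, mountpoint $3 (stdin:
# kpartx output). ufstype=44bsd is the type that worked in post #12;
# ro,nodev,nosuid,noexec keep an unverified image from being modified and
# from exposing device nodes or setuid binaries on the host; offset= and
# sizelimit= confine the loop device to that one slice.
mount_cmd() {
    tbl=$(cat)
    off=$(printf '%s\n' "$tbl" | partition_offset "$2")
    len=$(printf '%s\n' "$tbl" | partition_size "$2")
    if [ -z "$off" ]; then
        echo "mount_cmd: partition $2 not found in kpartx output" >&2
        return 1
    fi
    printf 'mount -t ufs -o ro,nodev,nosuid,noexec,ufstype=44bsd,loop,offset=%s,sizelimit=%s %s %s\n' \
        "$off" "$len" "$1" "$3"
}

# Stand-alone run against the constructed table; the printed command is
# what you would execute as root against the real image file.
printf '%s\n' "$KPARTX_SAMPLE" | mount_cmd OPNsense-17.1.r1-OpenSSL-vga-amd64.img loop0p3 /mnt
```

Feed it the real `kpartx -va` (or `kpartx -l`) output of your image instead of the sample, and check `partition_fits` against the file size from `ls -l` before mounting.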
#15
I'm assessing if OPNSense can accomplish the seemingly (to me) simple requirements that I have on my network.

I have 2 different ISPs, so need WAN1 and WAN2, clearly that is not an issue with MultiWAN support.

However, I got it set up using other dd-wrt/tomato and other methods; the problems start after this is set up :) As follows:

1) I have several VPN clients/devices, like a CISCO phone, or smartphones trying to get a VPN tunnel while going through the router/firewall (opnsense in future maybe). This WORKS, but only for a few minutes, b/c sooner or later the IPs change for the client, and that breaks the VPN tunnel, so the clients repeatedly disconnect/reconnect.

Can opnsense assure a particular client a "fixed" WAN so that the VPN will work without breaking?

2) Even withOUT VPN in the mix, a simple download of a large OS ISO, like 4GB, from a browser often gets stuck, b/c the backend server probably sees my IP changing periodically and drops the connection..

Can opnsense somehow automatically detect such "sessions" and keep them on the same IP, OR do I have to assign each PC on the network to a given WAN, and only if that WAN goes down will it flip it to WAN2?


3) The tomato/multiwan packages on home-grade routers have a MAC or IP filter (as part of multiwan support), and that SORT of works, but two things:

  a) Due to the low-powered CPU, a lot of FALSE negatives appear with regard to WAN1 or WAN2 being DOWN, and then, again, the traffic is impacted. In other words, the algorithm to detect if WAN1 or WAN2 is down is broken, and thus causes disconnects. Setting detection to 1 minute causes disconnects almost every 4-5 minutes, and raising it to 10 minutes causes disconnects every 30-45 minutes, but recovering from such false "outages" is also long (b/c 10 minutes have to pass before the next check is initiated :) :), and of course all that time both WANs are totally fine; something with the way they check ping/traceroute is broken... so for now I had to totally disable detection of WANs offline :) :) Let's assume the WAN IPs are fixed/given to me by the ISP, and the link connection will always be UP; still the internet may not work, due to many reasons :)

  b) If WAN1 is REALLY down (no network), and the filter is set to route, say, MAC3 to WAN1 (so as to keep the VPN from failing as described above), then MAC3 is now totally disconnected; their code is not smart enough to realize that WAN2 is UP and it can route to it until such time as WAN1 is back online, then put MAC3 on WAN1 again :)

Can opnsense quickly and reliably detect WANs going down (no internet), and in that case, can it re-route over the working WANs? And return to the original WAN once it is back and active?

I feel somewhat stupid asking such things, b/c they sound like obvious requirements to me :), but as I found out, that is not the case in the multiwan implementations that I've tested :)

Thanks for any tips...

Stormy